Hi folks,

I am responsible for the packaging of openssl for Debian Linux. Now we have some problems with the license issues. You point out well enough that some of the algorithms in the package have copyright or license issues.

With the Debian policy it is not allowed to include nonfree software. Nonfree software has to go into the nonfree section. We could build a version which lacks the problematic parts, but then again the sources must be free of this code too. But this would mean changing the original upstream source package, which is against the Debian policy to include the original sources and patches.

The best solution would be to have a separated openssl archive with all the nonfree parts in it, so that we would have a completely free openssl base package with a nonfree addon. GnuPG uses the same method.

What do you think about that?

Christoph Martin

Package: libssl09
Version: 0.9.4-5
Severity: grave

libssl09 is compiled with several algorithms that are patented in several countries according to the README of openssl:

 PATENTS
 -------

 Various companies hold various patents for various algorithms in various locations around the world. _YOU_ are responsible for ensuring that your use of any algorithms is legal by checking if there are any patents in your country. The file contains some of the patents that we know about or are rumoured to exist. This is not a definitive list.

 RSA Data Security holds software patents on the RSA and RC5 algorithms. If their ciphers are used used inside the USA (and Japan?), you must contact RSA Data Security for licensing conditions. Their web page is http://www.rsa.com/.

 RC4 is a trademark of RSA Data Security, so use of this label should perhaps only be used with RSA Data Security's permission.

 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy, Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should be contacted if that algorithm is to be used, their web page is http://www.ascom.ch/.

libssl09 has to be compiled without these algorithms or it has to go to non-US/non-free.

-- System Information
Debian Release: 2.2
Architecture: i386

Versions of packages libssl09 depends on:
ii libc6 2.1.3-10 GNU C Library: Shared libraries an
